[clamav-users] Ios.Trojan.FakeTelegram-6736161-0 FOUND
David Laxer
2018-12-06 19:08:43 UTC
Hi,

I am running clamav-0.100.beta on OS X 10.11.6 and got the following messages
Ios.Trojan.FakeTelegram-6736161-0 FOUND

Here’s my clamscan invocation:

$ clamscan/clamscan -i -r --exclude-dir=/Volumes --exclude-dir=/dev --exclude-dir=/Users/davidlaxer/clamav-0.100.0-beta/test --max-filesize=100M /

I received the following three alerts:

/Users/davidlaxer/iTunes Media/Mobile Applications/7notesHD Prem 3.2.2.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
/Users/davidlaxer/iTunes Media/Mobile Applications/JapanGoggles 2.6.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND
/Users/davidlaxer/iTunes Media/Mobile Applications/Memo 3.0.0.ipa: Ios.Trojan.FakeTelegram-6736161-0 FOUND

Any suggestions?

Thanks in advance!

Best,
-Dave
Al Varnell
2018-12-06 21:09:54 UTC
What kind of suggestion are you looking for?

They appear to be three different iPhone/iPad/iPod applications.

The signatures were added to the ClamAV database on 1 Nov 2018.

I would have to guess it has something to do with this Talos article:

<https://blog.talosintelligence.com/2018/11/persian-stalker.html?utm_source=mosaicsecurity>

-Al-
ClamXAV User
Eric Tykwinski
2018-12-06 21:26:00 UTC
Al,

I think you are probably right looking at it.
I would just add a way to find the decoded sig like last time this was asked.

~# sigtool --find-sigs Ios.Trojan.FakeTelegram-6736161-0 daily.cld | sigtool --decode-sigs
VIRUS NAME: Ios.Trojan.FakeTelegram-6736161-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
PK
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
begir
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
Info.plist

Eric Tykwinski
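The decoded signature above is simple enough to model directly, which helps when deciding whether an IPA flagged this way is a false positive. The following is an added example, not part of the thread and not ClamAV's own matcher: it re-implements only the three decoded subsignatures and the 0&1&2 logical expression in Python, using a constructed minimal zip as a stand-in for an .ipa.

```python
"""Model of the decoded Ios.Trojan.FakeTelegram-6736161-0 logical signature.
Added example for triage; it is not ClamAV's matcher and covers only the
three subsignatures and the '0&1&2' expression shown by sigtool above."""
import io
import re
import zipfile

# Subsignatures as decoded by sigtool: (pattern, anchored_at_offset_0, nocase)
SUBSIGS = [
    (b"PK", True, False),          # SUBSIG 0: OFFSET 0, zip/IPA magic
    (b"begir", False, True),       # SUBSIG 1: OFFSET ANY, SIGMOD NOCASE
    (b"Info.plist", False, True),  # SUBSIG 2: OFFSET ANY, SIGMOD NOCASE
]


def subsig_hits(data: bytes) -> list:
    """Evaluate each subsignature against raw bytes, honouring OFFSET/SIGMOD."""
    hits = []
    for pattern, anchored, nocase in SUBSIGS:
        rx = re.compile(re.escape(pattern), re.IGNORECASE if nocase else 0)
        hits.append(bool(rx.match(data)) if anchored else bool(rx.search(data)))
    return hits


def matches_fake_telegram(data: bytes) -> bool:
    """LOGICAL EXPRESSION 0&1&2: every subsignature must hit."""
    return all(subsig_hits(data))


def build_ipa(extra_text: str) -> bytes:
    """Constructed sample: minimal IPA-like zip with an Info.plist entry.
    ZIP_STORED keeps names and content uncompressed, as the matcher sees them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        z.writestr("Payload/Demo.app/strings.txt", extra_text)
    return buf.getvalue()


# Constructed inputs: any archive with an Info.plist whose content contains
# "begir" in any case trips the signature; one without that string does not.
SUSPECT = build_ipa("Begir")
BENIGN = build_ipa("hello")

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, subsig_hits(blob), matches_fake_telegram(blob))
```

Because the only content-specific term is a five-letter string matched case-insensitively anywhere in the archive, any unrelated app whose embedded text happens to contain it will be reported, which is consistent with three different legitimate apps being flagged.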

